Stephen Kost
Chief Technology Officer, Integrigy Corporation
Agenda
General Oracle Security
Oracle Applications SOX IT Challenges
SOX Technical Compliance Model
Oracle Security Patches (CPUs)
DBAs and system admins have little time for security
Oracle Applications is often customized or extended
Security tasks and testing are often late in the application implementation life-cycle
IT Security Challenges
No granularity in database model: the APPS account
APPS account used for all end-user access and most administration (adpatch, adadmin, etc.)
Many default account passwords and default configuration settings that are not secure
Poor segregation of system administration duties
Too many "Keys to the Kingdom":
UNIX: root, oracle, applmgr
Database: system, sys, apps, applsys
Applications: any account with the sysadmin responsibility
Mission Critical Applications ... Mission Critical Security
IT Security Challenges
No auditing enabled by default
Only creation and last update audited, no history
Auditing must be done at both the database and the application level
Potential severe performance issues if auditing is not carefully designed; purging and reporting must be included in the design
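The two points above (a single shared APPS account with no database-level granularity, and auditing that has to be added deliberately) combine into one practical check: sessions opened as APPS from anywhere other than the application tier deserve review. The following added example is not from the presentation or from Integrigy; it runs a simple detection rule over constructed rows shaped like DBA_AUDIT_SESSION output, and the host and OS-user allowlists are assumptions for illustration.

```python
"""Flag sessions of the shared APPS account that originate outside the
application tier. Rows are constructed to resemble DBA_AUDIT_SESSION columns
(USERNAME, OS_USERNAME, USERHOST, TERMINAL, TIMESTAMP); the allowlists and
the row values are assumptions, not data from any real system."""
import csv
import io
from datetime import datetime

# Assumed application-tier hosts: only these should open APPS sessions.
APP_TIER_HOSTS = {"ebs-web01", "ebs-forms01", "ebs-ccm01"}
# Assumed OS account under which the application tier runs.
APP_TIER_OS_USERS = {"applmgr"}

# Constructed sample audit records (not real data).
SAMPLE_AUDIT_CSV = """\
USERNAME,OS_USERNAME,USERHOST,TERMINAL,TIMESTAMP
APPS,applmgr,ebs-ccm01,pts/3,2006-06-01 08:00:12
APPS,applmgr,ebs-web01,unknown,2006-06-01 08:01:45
APPS,jsmith,WS-JSMITH,JSMITH-PC,2006-06-01 09:12:00
APPLSYS,applmgr,ebs-ccm01,pts/4,2006-06-01 09:30:10
APPS,applmgr,ebs-test01,pts/2,2006-06-01 14:05:30
APPS,root,dba-jump01,pts/1,2006-06-01 23:40:05
"""


def parse_audit_rows(text):
    """Parse CSV text into a list of dicts; TIMESTAMP becomes a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["TIMESTAMP"] = datetime.strptime(row["TIMESTAMP"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def suspicious_apps_sessions(rows, hosts=APP_TIER_HOSTS, os_users=APP_TIER_OS_USERS):
    """Return APPS sessions whose host or OS user is not on the app-tier allowlist.
    Each finding carries the reasons so a reviewer can see why it was flagged."""
    findings = []
    for row in rows:
        if row["USERNAME"].upper() != "APPS":
            continue  # other accounts (APPLSYS, SYSTEM, ...) need their own rules
        reasons = []
        if row["USERHOST"] not in hosts:
            reasons.append("host not in application tier")
        if row["OS_USERNAME"] not in os_users:
            reasons.append("unexpected OS user")
        if reasons:
            findings.append({"row": row, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_apps_sessions(parse_audit_rows(SAMPLE_AUDIT_CSV)):
        r = f["row"]
        print(r["TIMESTAMP"], r["OS_USERNAME"], r["USERHOST"], "; ".join(f["reasons"]))
```

On the constructed data the workstation login, the unlisted test host and the root login from a jump host are flagged; the same rule can be fed from a scheduled query against the database audit trail once session auditing is enabled.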
1. Security
1.2 Segregation of Duties
1.5 OS Security
Operational Processes
2.4 OS Auditing
3.1 Application
3.2 Database
4. Change Management
4.2 Application Configuration
4.4 Database Configuration
5. Patching
5.4 OS Patches
6. Development
6.1 Application
6.2 Database
6.3 Web
Security patches are released as Critical Patch Updates (CPUs) on a quarterly basis
6 CPUs so far = 200+ security bugs
Each CPU includes anywhere from 20 to 70 bug fixes
Next CPUs: July 18, 2006 and October 17, 2006
Oracle includes the fix in a quarterly CPU
From bug report to security patch release: 6 months to 3 years
[Figure: timeline from bug report to bug fixed]
Bugs are rarely fixed in under 6 months
Time to fix is not decreasing with the move to CPUs
Specific advice
Integrigy releases guidance for each CPU on our website
Each CPU has unique issues and requirements, so each needs to be evaluated independently
References
Oracle Best Practices for Securing Oracle E-Business Suite 3.0.2, Metalink Note 189367.1
Many sections written by Integrigy (see page ii)
Assumes at least 11.5.9 with many patches
Comprehensive, but contains some errors and omissions
Integrigy Background
Extensive experience with Oracle Applications
Founded by former Big-6 consultants with significant experience on Oracle Applications implementations in Fortune 500 companies
Founders recognized a major gap in all implementations: little or no security auditing done on projects
Integrigy has found more security bugs in Oracle Applications than anyone else inside or outside of Oracle
AppDefend
Application firewall and intrusion prevention system for ERP packages
Blocks common attacks like SQL injection, session hijacking, and cross-site scripting
Blocks access to unimplemented Oracle Applications modules
Contact Information
Website: www.integrigy.com
Integrigy Corporation
P.O. Box 81545
Chicago, Illinois 60681
888/542-4802
Sales: sales@integrigy.com
Development: development@integrigy.com
Support: support@integrigy.com
Security Alerts: alerts@integrigy.com